A security researcher demonstrated how millions of Samsung phones can be turned into remote listening tools at a hacker security conference in London. (Kārlis Dambrāns / Flickr Creative Commons photo)
A new report indicates a security flaw in hundreds of millions of Samsung phones can allow patient hackers to turn devices into remote listening tools.
The vulnerability is said to affect an authentication and update tool used for Samsung’s customized version of the SwiftKey keyboard — specifically, the Samsung-developed input method element (IME). An IME allows users to type symbols and characters not found on a keyboard, usually for another language. The most common IME transforms a Latin-style alphabet (think QWERTY) into one that can type Chinese, Korean and Arabic characters among others.
The flaw is exposed in the update mechanism Samsung uses to grab new versions of the Samsung-developed SwiftKey IME whenever a new one is available. According to Ars Technica, Samsung devices don’t encrypt the file containing the update, which can allow hackers operating on the same network — like an unsecured Wi-Fi network — to hijack the update download in transit and modify or replace it with malicious code.
The exploit was first demonstrated this week at a hacker security conference in London (although a video showing the same exploit has been unlisted on YouTube since last December). Ryan Welton, the researcher who discovered the flaw, said he was able to identify various models of Samsung Galaxy-branded phones affected by the security flaw, including the Samsung Galaxy S6 (Verizon, Sprint), the Samsung Galaxy S5 (T-Mobile) and the Samsung Galaxy S4 Mini (AT&T), although the exploit could affect other Samsung Galaxy phones as well.
Welton said the attack could allow hackers to commandeer the camera and microphones on a Samsung phone as well as read text messages, view call log data and access other functions of the phone.
The flaw doesn’t affect SwiftKey’s own developed keyboard, which is available for download in the Google Play store. Nor does it seem to affect any other keyboard that can be installed on Samsung’s Android phones.
The bad news is there isn’t definitive way for ordinary Galaxy phone users to avoid this bug while using Samsung’s devices in the way Samsung intends. The IME ships on every modern Samsung-manufactured smartphone, and users can’t normally disable or uninstall it.
The good news is the exploit is only triggered when Samsung checks for an update to the IME. And it isn’t immediately clear when or how often Samsung devices check for the update. That means hackers will have to wait for devices to trigger the update before the exploit can be effective, which will require a mixture of an unsecured network and a lot of patience.
The other bit of good news, as pointed out by Android Police, is that the exploit was only tested on devices running older versions of Samsung’s “firmware,” the permanent operating software programmed into a phone’s memory. So it’s unclear whether newer phones are even affected by the glitch. Still, phones that are affected by the bug can be rooted to completely remove Samsung’s IME from the device, although this requires a bit of technical know-how that ordinary users are unlikely to do (rooting can also void a phone’s warranty).
SwiftKey has since released a statement saying it is aware of a “security issue related to the Samsung stock keyboard that uses SwiftKey’s SDK” and that it is “investigating” the issue. The company confirms version of its keyboard in the Google Play and Apple App stores are not affected by the bug.